Using GrokEVT to convert Windows Server 2003 Logs to CSV

apmarsenault · 10-17-2008, 10:38 AM

I am trying to set up GrokEVT so that I can generate .csv files of our Windows server logs here at the office. I like the control a .csv gives me compared to the Windows Event Viewer.

I also like that GrokEVT will glean all information in regards to the event logs including pulling from DLLs and the registry instead of just the .evt files.

I have installed and configured GrokEVT for my system just as the man page instructions say, but when it comes time for me to run grokevt-builddb (build a database for event log conversion) on my configuration file, I receive the following error:

Code:

root@ubuntu:/usr/local/etc/grokevt/systems# grokevt-builddb 22c /var/db/grokevt/22c
WARNING: reglookup reported: ERROR: Couldn't open registry file: /media/22C/WINDOWS/system32/config/system
ERROR: Could not automatically determine CONTROL_SET_ID

The first message in this case is most certainly because the system file is in use. Servers are always supposed to be running, and I doubt a Windows server would ever unlock this registry file that reglookup (a dependency of GrokEVT) needs to read.

This theory is further proven by the output of the cp command, saying the text file is in use:

Code:

cp: cannot open `/media/20C/WINDOWS/system32/config/system' for reading: Text file busy

I have mounted the local drives of all of our servers via Samba. Has anyone else experienced these difficulties with building a database for log file conversion, or accessing any registry files while using GrokEVT/reglookup?

I have, of course, Googled to no avail (frighteningly few search results), as well as checked permissions on the files and parent directories. It is clear that the file is locked by Windows and I need to find some way to circumvent this lock through the Samba file share so reglookup can read the file.

Any help would be greatly appreciated.

Thanks!

mikepeters76 · 12-11-2009, 07:14 AM

did you ever get this resolved? I think this should be bumped to the application thread or the security thread.

Anyway I am having similar issues while trying to run grokevt against W2K event logs. I am doing a forensic investigation and this is the error I get when I run

Code:

sudo grokevt-builddb /usr/local/etc/grokevt/systems/TBG1 ./db/grokevt/TBG1/

Quote:

ERROR: [Errno 2] No such file or directory: '/media/try_tbg1/winnt/system32/config/appevent.evt'
ERROR: could not copy all log files.

When I try to cd to /media/try_tbg1/winnt I notice that I cannot cd to it because winnt is "WINNT" and the mount is still case sensitive.

The man for grokevt specifies that you have to mount your images with the -o posix=0 option. I have tried the following but it seems that I am still getting a case sensitive mount:

Code:

sudo mount -t ntfs -o posix=0 /dev/loop0 /media/try_tbg1/

I had a look at the man for mount and is says that -o posix=0 is depricated for -t ntfs.

Does anybody know if there is another way to mount an image file, it is a loop device actually as I have the entire drive imaged, to make sure that it is mounted case-insensitive?

GrapefruiTgirl · 12-16-2009, 10:14 AM

Since this thread is not directly security related, despite the potential use of the software in a security context, I've moved it to /Software, since it appears to be more of a "..this software is giving me trouble.." question.

Sasha